On Monday 15 May 2006 10:53, Richard Lynch wrote:
> On Sat, May 13, 2006 5:11 pm, Nick Wilson wrote:
> > are there any security concerns with uploaded images?
>
> YES!!!

Just what are the security concerns exactly? Assuming we're only focusing on attacks to the webserver[1] then I can only think of 2 (are there any more?):

1) the uploaded file is a binary executable
2) the uploaded file is a "script" (perl/php/python/etc)

In the case of (1), the attacker, having uploaded a malicious file would then have to find some way of getting it executed. On a un*x-like system the uploaded file would/should not have the executable bit set, so the attacker would have to find a way to set that bit AND to execute it. This would be very unlikely.

In the case of (2), if the script relies on its shebang line to execute then it would have to overcome the same obstacles as (1) for it to get executed. Otherwise, e.g. in the case of PHP, it would have to rely on the web application to include()[2] or eval() the malicious file. Since it is supposed to be an image file then the web developer would/should not intentionally use include()/eval() on such files. However in poorly written applications where input to include()/eval() can come from the user/attacker and is not properly sanitised it is then that the attacker will have a field day.

To summarise: the uploading of an executable masquerading as an image file can be protected against via coding at the application level.

> > My thought is that it wouldn't be too hard to have some kind of script
> > masquerade as a gif file, and perhaps cause damage.

More worrying and much harder to protect against are zero-day exploits against the graphics libraries themselves - libpng, libtiff, gd lib, zlib - have all had security problems in the past.

> Or, for that matter, load the images in through http://php.net/gd and

And the potential irony is that: in order to protect against executables masquerading as image files you trigger a zero-day exploit of gd :)

I would love to hear Chris Shiflett's views on this.

[1] as opposed to attacks on a user's browser when later on that file is accessed or downloaded
[2] this includes (pun intended) include()'s siblings - require() etc.

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz

PHP General Mailing List (http://www.php.net/)
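
One way to do the application-level handling the message above describes, as an added example that is not part of the original post: the format is identified with getimagesize() rather than by decoding the image through gd, and the stored file is only ever read back as data. UPLOAD_DIR, ALLOWED and both function names are hypothetical, and the upload directory is assumed to lie outside the web root.

```php
<?php
// Added example. UPLOAD_DIR, ALLOWED and both function names are hypothetical.
const UPLOAD_DIR = '/var/data/uploads';   // assumed to lie outside the web root
const ALLOWED = [IMAGETYPE_GIF  => ['gif', 'image/gif'],
                 IMAGETYPE_JPEG => ['jpg', 'image/jpeg'],
                 IMAGETYPE_PNG  => ['png', 'image/png']];

function store_uploaded_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // getimagesize() identifies the format from the file header; it is not
    // part of gd and the pixel data is not decoded here.
    $info = @getimagesize($file['tmp_name']);
    $type = ($info === false) ? null : (ALLOWED[$info[2]] ?? null);
    if ($type === null) {
        throw new RuntimeException('not an accepted image type');
    }
    // The server picks name and extension; the client-supplied name is never
    // used, so the file cannot end up stored as something.php.
    $name = bin2hex(random_bytes(16)) . '.' . $type[0];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        throw new RuntimeException('could not store file');
    }
    chmod(UPLOAD_DIR . '/' . $name, 0644);   // case (1): no executable bit
    return $name;
}

function serve_image(string $name): bool
{
    // Accept only names of the shape generated above, so no path from the
    // request reaches the filesystem unchecked.
    if (!preg_match('/\A[0-9a-f]{32}\.(gif|jpg|png)\z/', $name, $m)) {
        return false;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        return false;
    }
    foreach (ALLOWED as [$ext, $mime]) {
        if ($ext === $m[1]) {
            header('Content-Type: ' . $mime);
        }
    }
    readfile($path);   // case (2): bytes are sent as data, never include()d or eval()d
    return true;
}
```

A file with a valid GIF header followed by script text still passes the header check; what keeps it inert is that it is stored under a server-chosen image name and only ever passed to readfile().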